Yahoo Confirms Data From Millions Of Accounts Stolen In 2014
RENEE MONTAGNE, HOST:
One of Yahoo's more popular services is its free email. Now the tech giant has revealed at least half a billion user accounts have been hacked. It's one of the largest data breaches on record. Yahoo says the theft occurred two years ago but they only detected it this summer. Then they waited until now to warn customers. NPR's Aarti Shahani has more.
AARTI SHAHANI, BYLINE: No version of the story looks good for Yahoo. Either the company had an inkling about being hacked back in 2014 and just didn't say anything, or what the company claims is true - they just discovered the breach this summer, which means it took them two years to detect that half of their user accounts were stolen.
ANNE MCKENNA: That's very unusual and very troubling on many levels.
SHAHANI: That's Anne McKenna, a law professor at Pennsylvania State University. Most states in the U.S. have rules that require companies to inform their users when data has been stolen. And it has to happen in a reasonable period of time.
It took Yahoo an unreasonable period of time, cybersecurity experts say. And today, the company based in California has not shown compliance with its state laws. Anne McKenna.
MCKENNA: Yahoo has yet to provide to the public - here's how we think the breach occurred. Here's your exact information that was taken.
SHAHANI: The company issued only a generic letter to users yesterday, saying hackers got Yahoo emails, real names, phone numbers, dates of birth and passwords. Yahoo says hackers did not get credit card and bank account numbers. And the company did not offer credit monitoring, even though your stolen email and password might be used to access financial accounts, as many people recycle passwords.
MCKENNA: Yahoo's just telling everybody, hey, hey, if you haven't changed your password since 2014, just go ahead and change them.
SHAHANI: Yahoo did not inform Verizon, the company which had agreed to buy them over the summer for nearly $5 billion. Verizon issued a curt statement yesterday, saying it was just informed this week of the break-in, while after, they jointly announced their deal.
Yahoo says federal agents are investigating. And the hackers were state-sponsored, meaning a foreign government was behind this. But the company provided no further details in order, quote, "to prevent the actors from learning our detection methods." Aarti Shahani, NPR News, San Francisco. Transcript provided by NPR, Copyright NPR.